Hacked again. (19 posts)

For the second time in two weeks, my website, 37report.com, has been hacked. I'm pretty pissed off. I have the newest release of WordPress, and this is still happening. I'm going to remove it from my site if no one has any ideas on how to stop this. :(

Odds are, WordPress is not at fault. What other scripts do you have running? Are you on a shared host that does not have open_basedir or safe_mode restrictions on? Have you set unnecessary file permissions like 777 on essential files?

I just got hacked, too. This afternoon. I have 1.5.3.1, am in the process of preparing to upgrade to 1.5.2.

What happened: It looks as tho there was an outage at ipowerweb.com, my hosting service. Everything went down, including their home page. (This also happened during the power outage in L.A.). Site came up again quickly, within about 10-15 minutes. When my blogs came back up, it looked a bit odd. (rather than header appearing at top, flush, no top margin, it hung down a bit). In about an hour's time, I had the chance to go to the control panel. Where I got error messages.

Warning: Cannot modify header information - headers already sent by (output started at /home/i2020hin/public_html/wp/wp-includes/wp-db.php:359) in /home/i2020hin/public_html/wp/wp-admin/admin.php on line 10

Same error message, for line 11, 12, 13

It wasn't until I viewed source that I saw the problem. There is some marquee tag at the top. It begins like this:

<marquee width=1 height=1> and is followed by boatloads of links to spam locations. We're talking drugs that have letters at begin and end, similar to xerox. Drugs with names of three syllables, beginning with an f sound, but spelled with a p and an h.

The length of the inserted code is about 133,000+ characters.

So that's what it looks like, and I'm trying to do a fresh install of 1.5.2 in hopes that it goes away. I'll keep you posted.

I guess in a loose sense "The Software may not be used for anything that would represent or is associated with an Intellectual Property violation, including, but not limited to, engaging in any activity that infringes or misappropriates the intellectual property rights of others, including copyrights, trademarks, service marks, trade secrets, software piracy, and patents held by individuals, corporations, or other entities." would apply to hacking and I'm sure Jelsoft wouldn't appreciate it anyway so they may terminate the license.

Upgrade to 1.5.2 complete. Marquee hack is still taking place. After further investigation, I think it was something that happened to the server. The server vDeck control panel software also has the marquee thing in it. And every single static page has the marquee thing down at the bottom of the page. That, and the hold time for technical support is taking for ever and ever, which means that they must be scrambling like crazy to deal with this (I hope).
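An added example, not written by anyone in this thread: a scanner that walks a web root and reports every file carrying the kind of hidden block described above (a `<marquee>` whose width and height are both 1 or less, stuffed with links), with its offset, length and link count. The extension list, the size threshold and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Opening <marquee> tag; its attributes are inspected separately.
MARQUEE_RE = re.compile(rb"<marquee\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(rb"\b(width|height)\s*=\s*[\"']?(\d+)", re.IGNORECASE)
LINK_RE = re.compile(rb"<a\s[^>]*href", re.IGNORECASE)
CLOSE_RE = re.compile(rb"</marquee\s*>", re.IGNORECASE)
EXTENSIONS = {".php", ".html", ".htm", ".tpl", ".inc"}  # assumed web file types


def find_hidden_marquees(data, max_px=1):
    """Return (offset, block_length, link_count) for each marquee sized <= max_px."""
    hits = []
    for m in MARQUEE_RE.finditer(data):
        dims = {k.lower(): int(v) for k, v in ATTR_RE.findall(m.group(1))}
        if dims.get(b"width", 999) > max_px or dims.get(b"height", 999) > max_px:
            continue  # visibly sized marquee, not the hidden pattern
        close = CLOSE_RE.search(data, m.end())
        end = close.end() if close else len(data)  # unclosed tag runs to end of file
        links = len(LINK_RE.findall(data, m.end(), end))
        hits.append((m.start(), end - m.start(), links))
    return hits


def scan_tree(root):
    """Map each affected file (path relative to root) to its hidden-marquee hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in EXTENSIONS or not path.is_file():
            continue
        hits = find_hidden_marquees(path.read_bytes())
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def demo():
    """Constructed sample: one clean page and one page with a block appended."""
    spam = b"<marquee width=1 height=1>" + b'<a href="http://spam.example/x">x</a>' * 3
    with tempfile.TemporaryDirectory() as root:
        Path(root, "clean.html").write_bytes(b"<html><marquee width=300>news</marquee></html>")
        Path(root, "index.php").write_bytes(b"<?php echo 'hi'; ?>\n" + spam)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

If the files on disk come back clean while the served pages still contain the block, the insertion is happening at the server layer rather than in the site's own files.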

AuntAlias: sounds like something server wide, with a header being inserted through Apache somehow. That sort of thing should be rectified pretty much immediately and really shouldn't happen at a quality host in the first place so I highly recommend looking for another host.

Confirmed by host: it was on that particular server. Not server-farm wide. But my host. Arrgh. Well, I'm off to do what I originally planned to do for the evening. And I still have to wait for them to do whatever to get rid of it. Thanks for your comment, jasone.

I don't know if anyone is still reading this thread because I haven't posted again since starting it. It turns out the hackers changed the passwords for my Cpanel and my FTP accounts, so I cannot log in to do anything. It takes my host (Netrillium.net) days to respond to anything, and they don't have a phone number posted on their website in the spot next to "Phone number:" so I can't call them. I'm not sure what I'm going to do to fix my site, but I did install a more powerful firewall, and I doubt any hacker will be able to get through. I'm still angry this happened. I might just shut down my site. I don't have the motivation or time to entirely write another layout for my site, and I haven't found a pre-made one that I like. Yay. If anyone does read this, write a response, and maybe we can still figure something out.

My host reset the passwords for my Cpanel and FTP account, but now I have a new problem. The hacker also changed the password for my WP login, so I used PHPMyAdmin to reset it. Unfortunately, for some reason now my 37report.com/wp-login.php file won't work. When I try to access it, it redirects me to 37report.com/wp-admin and says the file is not available. Does anyone know why this might be?

Also, I am deleting files that the hacker left behind. In the folder ".trash" there is a file called ".trash_restore" and the file itself says:
"=/home/report/
index.php=/home/report/index.php"
Could I use this file to restore my old index file? Or should I delete it? Is there any way to easily restore everything the way it was?